1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "Identifies any file event for mimilsa.log attributed to lsass.exe. mimilsa.log is the default output file of the Mimikatz memssp module, which registers a malicious Security Support Provider inside LSASS to record the plaintext credentials of subsequent logons. Because the output file name is configurable, this rule only covers the default; a match should be treated as evidence that LSASS has already been tampered with and credentials on the host should be considered compromised.", 6 "from": "now-9m", 7 "index": [ 8 "winlogbeat-*", 9 "logs-endpoint.events.*", 10 "logs-windows.*" 11 ], 12 "language": "eql", 13 "license": "Elastic License v2", 14 "name": "Mimikatz Memssp Log File Detected", 15 "query": "file where file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", 16 "risk_score": 73, 17 "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", 18 "severity": "high", 19 "tags": [ 20 "Elastic", 21 "Host", 22 "Windows", 23 "Threat Detection", 24 "Credential Access" 25 ], 26 "threat": [ 27 { 28 "framework": "MITRE ATT&CK", 29 "tactic": { 30 "id": "TA0006", 31 "name": "Credential Access", 32 "reference": "https://attack.mitre.org/tactics/TA0006/" 33 }, 34 "technique": [ 35 { 36 "id": "T1003", 37 "name": "OS Credential Dumping", 38 "reference": "https://attack.mitre.org/techniques/T1003/" 39 } 40 ] 41 } 42 ], 43 "timestamp_override": "event.ingested", 44 "type": "eql", 45 "version": 4 46} 47